MEMORANDUM


TO            :       Willie Gilmore
                      Director
                      Office of Management

FROM          :       John P. Higgins, Jr.
                      Acting Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT       :       Results of the OIG Review of OM's Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-004)


INTRODUCTION

This memorandum transmits the results of our review of OM's internal controls over the
procurement of goods and services. This review is part of OIG's Department-wide
review of this area. The Department’s management is responsible for establishing and
maintaining internal controls. We will transmit the Department-wide results to the
Deputy Secretary with copies to the Assistant Secretaries when we complete our review.
On June 23, 2000, OIG staff discussed the results of this review with you, your Deputy
Director, Linda Stracke, and your Administrative Staff Director, Keith Berger.

RESULTS

Based on our review, we identified certain deficiencies that prevent OM from satisfying
GAO’s Standards for Internal Control in the Federal Government. For your information
and corrective action, those deficiencies are listed in the attached chart (Attachment A).
In the future, we anticipate conducting a follow-up review to assess the actions you have
taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OM managers of inherent vulnerabilities we
identified in two Department procurement systems.

✓ Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards.
  Therefore, it is important that approving officials
  properly review all cardholder statements, including invoices, before forwarding them
  to OCFO for payment.

✓ Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of sample TPDS disbursements.

During our review, we noted that some OM employees assigned purchase cards are
below the minimum grade level (GS-9) required to receive annual ethics training.
Because of their procurement responsibilities, we believe that ethics training would
benefit these employees. Management should require them to attend annual ethics
training.

OTHER MATTERS

During our review, we interviewed some OM and OCFO staff members about contracts
involving the purchase of goods and services. We did not review contract files. Based
on our limited work in this area, we identified the following issues that management
should consider for further review.

       Control Environment – A good internal control environment requires that areas
       of authority and responsibility be clearly defined and reporting lines be clearly
       established. Two of the OM staff that OCFO identified as Contracting Officers
       Technical Representatives (COTRs) were not COTRs. They were Project Task
       Managers that perform duties similar to a COTR but for which there is no specific
       training requirement.

       Risk Assessment – OM is responsible for several contracts involving the
       purchase of goods and services. There is no formal risk assessment process for
       these contracts.
       OM should review these processes periodically to determine if
       risks have changed and whether it is managing existing risks appropriately.

       Control Activities/Monitoring – Past concerns raised by the OIG in the areas of
       property passes and mail management have not been fully addressed by OM.
       These concerns are contained in an OIG Investigative Advisory Program Report
       on Inventory Management (November 1994), a Management Review of Personal
       Property Management (November 1998) and an OIG Discussion Paper entitled
       “Mail Management” (June 1997).

The Executive Officer discontinued the purchase cards for certain OM employees
because those cardholders were not following proper procedures. Such actions are
appropriate and necessary to maintain an effective control environment.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we
interviewed staff regarding contracts for the purchase of goods and services, we did not
review contract files. We limited testing of accounting records to procurements using the
Third Party Draft System (TPDS) and Purchase Cards. We did not conduct testing on
OM’s use of the “Corporate” Government Travel Account.

METHODOLOGY

To achieve our objectives, we conducted interviews with OM staff who were involved
with the procurement process and reviewed relevant documents.
As part of our work, we
reviewed 49 TPDS checks issued between October 1998 through September 1999 (FY
1999) and October 1999 through March 2000 (FY 2000).

We also judgmentally selected a sample of 21 card statements and then selected 49
purchases to review for the periods ending October 16, 1998 and February 16, 2000, thus
disregarding any transactions dated prior to October 1, 1998. The OCFO provided us
with a list of 18 cardholders in Headquarters. We reviewed card statements belonging to
15 of the 18 cardholders in Headquarters. We did not include the card statements of the
cardholder assigned flexiplace outside of Washington, D.C. because we were informed
that the documentation was maintained at the flexiplace. We were informed that two
cardholders did not have activity during the timeframe we were reviewing; therefore, we
did not review any card statements or transactions of those two cardholders.

We based our conclusions about OM's internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between March 20, 2000 and May 2, 2000. We assessed OM's
internal controls based on GAO's Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection
dated March 1993.

We appreciate the cooperation shown by your staff during our review.
If you have any
questions regarding the results of this review, please call me at 205-5439.


Attachments


cc:    Deputy Secretary

                                                                          Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment: the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a
       basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.

•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events.
      Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.

Internal Control Evaluation Form for the Office of Management                                                 Attachment A


Control Component     Deficiencies
Control Environment   •   Assignment of Authority – One purchase cardholder has an approved single purchase limit of $80,000
                          but only has a warrant for $25,000.
                      •   Assignment of Authority – One cardholder stated that she had never used her purchase card and was
                          unable to locate the card.
                      •   Training – While the cardholders we interviewed had taken the required purchase card training, and
                          some of these cardholders and the Executive Officer had also taken simplified acquisitions training, the
                          staff had not received recent or refresher training.
                      •   Training – As noted below, a significant number of purchase card
                          statements were not signed by
                          approving officials. One of the three approving officials we interviewed could not remember taking
                          purchase card training and another stated that additional training would be useful.

Risk Assessment       •   Identification of Risks – OM has no formal procedures for risk assessment in the procurement area. The
                          Executive Officer also informed us that he was not involved in the Federal Managers’ Financial Integrity
                          Act (FMFIA) process.
                      •   Identification of Risks – Two procurement staff members have been assigned a moderate risk level when
                          the employees’ responsibilities suggest that a high-risk level is more appropriate. One procurement staff
                          member has been assigned a low risk level when the employee’s responsibilities suggest that a moderate
                          risk level is more appropriate.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service (C:FIM:6-102) dated March 12, 1990, OM has no written policies and procedures on the
                          purchase card process.
                      •   Management review – The three approving officials we interviewed told us they reviewed the card
                          statements and signed them. We selected and reviewed 21 card statements of various cardholders from
                          OM files and noted that only 11 were signed by approving officials.
                          We also reviewed the September
                          1999 and March 2000 card statements for OM from files in OCFO.
                            ✓ Eleven statements had balances in September 1999. One of those statements was missing from
                              the OCFO files. Of the ten statements available for review, five were not signed by an
                              approving official.
                            ✓ Seventeen statements had balances in March 2000. All seventeen statements were in the OCFO
                              files. Four of the 17 were not signed by an approving official and one was not signed by the
                              cardholder.
                      •   Approval – We reviewed 49 TPDS checks. The supporting document for one $909 check was a contract
                          modification. That contract modification was not signed by the Executive Officer.
                      •   Documentation – We reviewed 49 TPDS checks. Documentation for one $830 TPDS check was not
                          available. We reviewed 49 charges to purchase cards. Documentation was not available for two charges
                          ($225 and $17) to purchase cards. Both charges were on the same cardholder’s account.
                      •   Recordkeeping – OM did not have a log to track the TPDS checks assigned to the office.
                          Such a log
                          would allow OM to identify any missing checks.

Information &         •   Communication of Key Information – The procurement staff that we interviewed were not familiar with
Communications            the Department’s Directive on Commercial Credit Card Service.
                      •   Communication of Key Information – The Department’s Directive on Commercial Credit Card Service
                          has not been republished since 1990.

Monitoring            •   On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                          not perform periodic reviews of the EDCAPS reports on the checks issued by OM.
                      •   On-going Monitoring – Two of the three approving officials we interviewed indicated that they did not
                          review the supporting documents for the card statements.